Cyware Daily Threat Intelligence, July 15, 2025

shutterstock 2243217919

Daily Threat Briefing July 15, 2025

A quiet but deliberate campaign is now zeroing in on Southeast Asia’s trade secrets. HazyBeacon, a newly identified Windows backdoor, is targeting government entities with an eye on sensitive tariff and trade data. It uses DLL side-loading and communicates through AWS Lambda URLs, helping it blend in with legitimate cloud activity while quietly collecting targeted documents.

Developers are once again in the crosshairs of North Korean threat actors. As part of the ongoing Contagious Interview campaign, attackers have pushed 67 malicious npm packages carrying XORIndex, a malware loader designed to steal browser data, crypto wallet info, and deploy Python-based backdoors. With over 17,000 downloads and manipulated package metrics, the threat is both widespread and deceptive.

An invisible prompt is all it takes to turn Gemini into a phishing assistant. Attackers are exploiting Google’s Gemini AI for Workspace by hiding malicious instructions in emails using HTML and CSS. When Gemini generates a summary, it unknowingly includes phishing content redirecting users to malicious sites. Suggested defenses focus on stripping hidden content and warning users not to rely on AI summaries for security cues.

Top Malware Reported in the Last 24 Hours

HazyBeacon malware uses AWS Lambda

A new cyber espionage campaign, identified as HazyBeacon, targets governmental organizations in Southeast Asia, aiming to collect sensitive information related to tariffs and trade disputes. This previously undocumented Windows backdoor utilizes DLL side-loading techniques, deploying a malicious DLL alongside a legitimate executable to establish communication with attacker-controlled URLs. Notably, HazyBeacon exploits AWS Lambda URLs for command-and-control purposes, allowing threat actors to blend in with legitimate cloud activities. The malware includes a file collector module that targets specific file types, particularly those related to recent U.S. tariff measures. 

North Korean hackers target npm registry

North Korean hackers associated with the Contagious Interview campaign have been deploying malicious npm packages to target developers in software supply chain attacks. They released 67 new packages containing the XORIndex malware loader, which has been downloaded over 17,000 times. These attacks aim to steal data from web browsers and cryptocurrency wallets while deploying Python backdoors. The campaign involves evolving malware variants and uses tactics like manipulating npm download metrics to appear legitimate.

New Android malware campaign spotted

McAfee Labs has identified an active Android malware campaign targeting Bengali-speaking users, particularly Bangladeshi expatriates. The malware impersonates trusted financial apps like TapTap Send and AlimaPay, distributed via phishing websites and fake Facebook pages. It collects sensitive personal and financial data, including photo IDs, and stores it on unsecured servers, posing significant privacy risks. The campaign targets Bangladeshi expatriates in countries like Saudi Arabia, the UAE, and Malaysia, leveraging their reliance on remittance apps.

Top Vulnerabilities Reported in the Last 24 Hours

Vulnerable Gigabyte motherboards

Dozens of Gigabyte motherboard models are vulnerable to UEFI malware that can bypass Secure Boot, allowing the installation of persistent bootkit malware. Researchers from Binarly identified four high-severity vulnerabilities in Gigabyte's firmware, which enable privilege escalation and unauthorized access to System Management RAM. These are tracked as CVE-2025-7029, CVE-2025-7028, CVE-2025-7027, CVE-2025-7026. These vulnerabilities arise from flaws in the System Management Mode and affect over 240 motherboard models, including various revisions and region-specific editions. Although Gigabyte has released firmware updates, many affected devices have reached end-of-life status and may remain unpatched. 

Google Gemini flaw enables phishing attacks

Google's Gemini AI for Workspace can be exploited to generate email summaries that appear legitimate but include hidden malicious instructions, redirecting users to phishing sites. The attack involves embedding invisible directives in the email body using HTML and CSS, which Gemini parses and executes when summarizing the email. An example showed Gemini generating a false security alert about a compromised Gmail password, including a fake support phone number. Suggested mitigations include removing hidden content, implementing post-processing filters to flag suspicious outputs, and educating users not to trust Gemini summaries for security alerts.

Related Threat Briefings